Report No. D-2008-114           July 24, 2008

Accountability for Defense Security Service Assets With Personally Identifiable Information

Additional Copies

To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Office of the Deputy Inspector General for Auditing at (703) 604-9142 (DSN 664-9142) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    ODIG-AUD (ATTN: Audit Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Acronyms

ASD(NII)/CIO    Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief Information Officer
CAC             Common Access Card
DMDC            Defense Manpower Data Center
DPAS            Defense Property Accountability System
DRMO            Defense Reutilization and Marketing Office
DSS             Defense Security Service
IG              Inspector General
OMB             Office of Management and Budget
OPM             Office of Personnel Management
OSD             Office of the Secretary of Defense
PII             Personally Identifiable Information
PSI             Personnel Security Investigation
US-CERT         U.S. Computer Emergency Readiness Team
USD(AT&L)       Under Secretary of Defense for Acquisition, Technology, and Logistics

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

July 24, 2008

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE FOR ACQUISITION, TECHNOLOGY, AND LOGISTICS
               UNDER SECRETARY OF DEFENSE FOR INTELLIGENCE
               DIRECTOR OF ADMINISTRATION AND MANAGEMENT
               DIRECTOR, DEFENSE SECURITY SERVICE

SUBJECT: Report on Accountability for Defense Security Service Assets With Personally Identifiable Information (Report No. D-2008-114)

We are providing this report for review and comment. We considered management comments on a draft of this report in preparing the final report.

DoD Directive 7650.3 requires that all recommendations be resolved promptly. We request that the Under Secretary of Defense for Acquisition, Technology, and Logistics provide additional comments on Recommendation 2.b. As a result of management comments, we revised Recommendation 3. to clarify our intention. We request that the Director of Administration and Management provide additional comments on revised Recommendation 3. In addition, based on events that occurred after the issuance of the draft report, we removed Recommendations 1.f., 1.g., 1.h., and 1.i. and renumbered the other parts of Recommendation 1. accordingly. Management should provide comments on the final report by August 25, 2008.

If possible, please send management comments in electronic format (Adobe Acrobat file only) to AUDROS@dodig.mil.
Copies of the management comments must contain the actual signature of the authorizing official. We cannot accept the / Signed / symbol in place of the actual signature. If you arrange to send classified comments electronically, they must be sent over the SECRET Internet Protocol Router Network (SIPRNET).

We appreciate the courtesies extended to the staff as well as the excellent assistance provided by the DSS staff. Questions should be directed to Ms. Rhonda L. Ragsdale at (703) 604-9347 (DSN 664-9347) or to Mr. Robert P. Goldberg at (703) 604-9218 (DSN 664-9218). See Appendix E for the report distribution. The team members are listed inside the back cover.

    Paul J. Granetto
    Principal Assistant Inspector General
    for Auditing

Department of Defense Office of Inspector General

(Project No. D2007-D000LC-0042.000)

Executive Summary

Who Should Read This Report and Why? The management at the Defense Security Service (DSS) and personnel concerned with property accountability should read this report because it discusses accountability for assets that contain personally identifiable information (PII) and the requirements for reporting unauthorized disclosure of PII.

Background. DSS provides the Secretary of Defense, DoD Components, and Defense contractors security support services.
In February 2005, DSS transferred responsibility for the personnel security investigation function to the Office of Personnel Management (OPM), along with 1,567 DSS employees. The former Director of DSS also transferred common access cards (CACs), safes, laptops, and auxiliary hard drives to OPM.

Results. DSS management in place during the transfer of the personnel security investigation function to OPM created a lack of accountability for assets, posing an undue risk of compromising PII for military, civilian, and contractor employees who were investigated for personnel security clearances between 1997 and 2005. Through substantial efforts of its current management, DSS located and confirmed by unique identifier 308 of an estimated 501 initially unaccounted-for laptops. DSS obtained additional information demonstrating reasonable assurance that the remaining 193 laptops did not leave control of Government personnel; therefore, PII contained on the laptops is not at risk. Although DSS has accounted for the 501 initially unaccounted-for laptops, the initial listing of 501 laptops was not accurate. Additional laptops may still need to be accounted for.

DSS demonstrated to the Defense Privacy Office that there was no indication the unaccounted-for laptops had left the control of Government personnel. Based on the information provided by Defense Security Service, the Defense Privacy Office concluded that the risk of unauthorized disclosure of PII was not high enough to warrant public notification. Consequently, DSS did not issue a public notification. Although the Defense Privacy Office determined no public notification was warranted, a risk of unauthorized disclosure of PII still exists if laptops still remain unaccounted-for.
To prevent recurrence of a lack of accountability for assets, the Director of the Defense Security Service should implement controls over property that contains sensitive or classified information or PII, conduct periodic physical inventories of assets that contain PII, and track assets containing PII by unique identifier.

Although the current DSS management inherited inaccurate property records, it is responsible for correcting them. A review of 50 DSS property records showing custody of electronic devices such as laptops showed only 23 of 50 property records were accurate. DSS internal controls were not adequate. We identified material weaknesses in property accountability for DSS assets. Current DSS management is aware of the weaknesses and has developed an action plan with objectives for FY 2008.

Management Comments and Audit Response. The Director of Acquisition Resources and Analysis in the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics (USD[AT&L]) provided comments. She concurred with revising DoD Instruction 5000.64 to state that the policy applies to mobile computing devices including but not limited to laptops, mobile information storage devices, and auxiliary hard drives, regardless of dollar threshold. She partially concurred with requiring that all DoD Components include unique identifiers on Defense Reutilization and Marketing Office (DRMO) turn-in documents when disposing of laptops and other electronic devices that may contain PII. The Director stated guidance in two memoranda not cited in the report may eliminate the need for the recommendation.
The memoranda are:

    • Deputy Secretary of Defense Directive Memorandum, “Disposition of Unclassified DoD Computer Hard Drives,” May 29, 2001; and

    • Assistant Secretary of Defense for Command, Control and Communications Memorandum, “Disposition of Unclassified DoD Computer Hard Drives,” June 4, 2001.

While we considered the response to the recommendation to update DoD Instruction 5000.64 responsive, we ask the Director to reconsider her position on the recommendation regarding unique identifiers on DRMO turn-in documents and provide comments by August 25, 2008. The suggested guidance does not address accountability for laptops as they are turned in to the DRMO for disposal.

The DoD Senior Agency Official for Privacy did not concur with our recommendation to continue working with the Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief Information Officer and the USD(AT&L) to develop overarching guidance on the protection of PII on mobile computing devices. The Senior Agency Official stated that overarching guidance would create confusion. We clarified the recommendation. Its intent was to create one memorandum that would direct DoD officials to the proper guidance on protecting PII, accounting for assets that are sensitive, and reporting a potential breach of PII.
We request that the Senior Agency Official for Privacy comment on the revised recommendation by August 25, 2008.

The DSS Director concurred with six of the recommendations and nonconcurred with four. The Director determined that the two recommendations related to unaccounted-for laptops—to continue coordinating with OPM to locate additional laptops, and to plan and mitigate the risk of unauthorized disclosure of PII—were no longer necessary because DSS has resolved the last 7 of the 501 initially unaccounted-for laptops. We agree DSS has demonstrated reasonable assurance that the 501 initially unaccounted-for laptops have been accounted for. Therefore, we removed the recommendations to continue to work with OPM to resolve remaining unaccounted-for laptops and implement steps to mitigate risk of unauthorized disclosure of PII. However, because 501 was not an accurate baseline, additional laptops may still need to be accounted for. The Director also determined that the remaining seven unaccounted-for CACs were issued to former DSS employees after they transferred to OPM and were not the responsibility of DSS. We agree that the remaining seven unaccounted-for CACs are not the responsibility of DSS and removed the recommendation on CACs. The Director determined that through due diligence DSS has mitigated the risk of any possible unaccounted-for safes. We agree and removed the recommendation on safes.
See the Finding section for a discussion of management comments and the Management Comments section for complete text of the comments.

Table of Contents

Executive Summary

Background

Objectives

Review of Internal Controls

Finding
     Accounting for Assets With Personally Identifiable Information

Appendixes
     A.   Scope and Methodology
     B.   Prior Coverage
     C.   Review of Defense Property Accountability System Records
     D.   Management Comments on the Finding and Audit Response
     E.   Report Distribution

Management Comments
     Under Secretary of Defense for Acquisition, Technology, and Logistics
     Director of Administration and Management
     Defense Security Service

Background

Defense Security Service Mission and Functions. The Defense Security Service (DSS) provides the Secretary of Defense, the DoD Components, Federal Government contractors, and 23 other Federal agencies with a full range of security support services. These services include security education, security training, and technical services involved in the industrial security clearance process. Prior to February 2005, DSS also performed personnel security investigations (PSIs) for these organizations. DSS reports to the Under Secretary of Defense for Intelligence.
DSS is headquartered in Alexandria, Virginia, and has field offices throughout the United States. Within DSS the person responsible for property accountability is the Director, who has delegated this responsibility to the property book officer.

Transfer of Functions From DSS to the Office of Personnel Management. In FY 2003, the Deputy Secretary of Defense and the Director, Office of Personnel Management (OPM) agreed to transfer responsibility for the PSI function from DSS to OPM. DoD made this transfer to improve the timeliness of investigations, recognizing the success that OPM and the private sector achieved in that area over the last several years. The transfer was accomplished through two memoranda. The first memorandum of understanding, dated January 24, 2003, expressed the intent of DoD and OPM to obtain statutory authority to transfer the PSI function from DoD to OPM. The second memorandum of agreement, “Transfer of Certain Elements of the U.S. Department of Defense to the U.S. Office of Personnel Management,” October 16, 2004, identified the number of personnel to transfer and detailed the costs of the transfer as well as the responsibility for the personnel being transferred. Specifically, it stated that approximately 1,800 employees who performed work related to the PSI function would transfer to OPM. The memorandum also set the goal for OPM to manage the PSI function by February 20, 2005. OPM requested DoD to provide support services on a reimbursable basis for payroll, facilities, and information technology.

Assets Transferred. In February 2005, DSS transferred 1,567[1] PSI-related positions and $33.8 million to OPM.
In addition, DSS transferred common access cards (CACs),[2] approximately 1,483 laptops, and an undetermined number of safes and auxiliary hard drives. As part of the transfer, OPM took over the responsibility for some of the former DSS field offices located throughout the United States that performed PSIs.

Transfer Responsibilities. DoD established a 15-member transition team to coordinate the PSI transfer to OPM. The team was charged with ensuring the transfer occurred by February 2005 in accordance with the timelines established in the October 16, 2004, memorandum of agreement. The Under Secretary of Defense for Intelligence approved the transition team members, including the Deputy Under Secretary of Defense for Counterintelligence and Security, the Acting DSS Director, the DSS Deputy Director of Personnel Security, and the DSS Deputy Director of Industrial Security.

[1] The October 16, 2004, memorandum estimated that 1,800 employees would transfer to OPM; however, in February 2005, only 1,567 employees actually transferred to OPM.

[2] The CAC is used as a general identification card as well as for authentication to gain access to DoD computers, networks, and certain DoD facilities.

According to the Deputy Associate Director of OPM, the transition team and OPM management entered into an informal, verbal agreement regarding the transfer of assets. Specifically, they agreed that PSI investigators could take DSS laptops and CACs with them to OPM to complete ongoing investigations. The intent was that the investigators would return the laptops as well as their CACs to DSS when the ongoing investigations were completed.
In addition, DSS agreed to purchase auxiliary hard drives for the transferring investigators to access OPM’s automated system until they completely transitioned to PSI cases originating through OPM. The informal, verbal agreement also allowed OPM to take possession of an undetermined number of safes.

Guidance on Security of Personally Identifiable Information. Personally Identifiable Information (PII) is defined in Office of Management and Budget (OMB) memorandum M-06-19, “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments,” July 12, 2006, as any information that can be used to trace an individual’s identity. Since 2002, both DoD and OMB have issued policies on accountability for and security of PII.

DoD Guidance on Accountability for Property. DoD Instruction 5000.64, “Defense Property Accountability,” August 13, 2002, requires DoD Components to keep accountable property records and transaction trails for all property that has an acquisition cost greater than $5,000 or constitutes sensitive[3] or classified assets. The guidance also discusses accountability requirements for assets lent to non-DoD agencies and accountability for pilferable items (such as laptops).
Specifically, it states that DoD Components shall establish records and maintain accountability for property furnished to such agencies or contractors.

DoD Instruction 5000.64, “Accountability and Management of DoD-Owned Equipment and Other Accountable Property,” November 2, 2006, replaced the 2002 version and allows DoD Components to assess the vulnerability of pilferable property and determine how they will account for it. However, the revised instruction, like the 2002 version, maintains that accountable property records should be established for assets that are sensitive or classified and for assets that are transferred to other Government agencies.

Defense Property Accountability System. The Under Secretary of Defense for Acquisition, Technology, and Logistics (USD[AT&L]) requires that DoD Components use a fully operational property accountability system that meets Federal accounting standards and can capture and maintain historical data. Further, the Under Secretary of Defense (Comptroller)/ Chief Financial Officer designated the Defense Property Accountability System (DPAS) as the property system for DoD.

[3] According to the Director of Administration and Management, Department of Defense Senior Privacy Official Memorandum, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information,” September 21, 2007, PII is information about an individual that identifies, links, relates, or is unique to or describes him or her. Examples of PII include but are not limited to Social Security number; age; military rank; civilian grade; marital status; race; salary; home/office phone number; and other demographic, biometric, personnel, and medical information. Although PII does not meet the strict definition of sensitive information in DoD Instruction 5000.64, the Director of the Defense Privacy Office considers PII sensitive information.

Office of Management and Budget Reporting Requirements. OMB memorandum, “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments,” July 12, 2006, requires that agencies report all incidents involving PII to the U.S. Computer Emergency Readiness Team (US-CERT), an organization within the Department of Homeland Security, within 1 hour of discovering them. Specifically, the July 12, 2006, memorandum states:

    This memorandum revises those reporting procedures to now require agencies to report all incidents involving personally identifiable information to US-CERT within one hour of discovering the incident.
    You should report all incidents involving personally identifiable information in electronic or physical form and should not distinguish between suspected and confirmed breaches. US-CERT will forward all agency reports to the appropriate Identity Theft Task Force point-of-contact also within one hour of notification by an agency.

OMB requires prompt reporting to US-CERT so US-CERT can assess the potential impact on national security and quickly notify the proper authorities of breaches that could affect national security. DoD Directive 5400.11-R, “DoD Privacy Program,” May 14, 2007, defines a breach as the actual or possible loss of control, or unauthorized disclosure of or access to personal information such as Social Security number, a person’s medical history, financial information, or criminal information. The memorandum further states that an agency should report all breaches regardless of whether they are suspected or confirmed. However, under US-CERT reporting requirements, while an incident is under investigation to determine whether information was compromised, the 1-hour reporting requirement is not applicable. According to a US-CERT Official, when the investigation is complete, the agency should report the results of the investigation to US-CERT. Once it receives a report of a breach, US-CERT forwards the report to the Identity Theft Task Force, headed by the Attorney General at the Department of Justice within 1 hour of the agency notifying US-CERT. President Bush established the Identity Theft Task Force to strengthen and improve the Government’s ability to improve the Nation’s awareness, prevention, detection, and prosecution of identity theft.

Office of the Secretary of Defense Guidance.
The Director of the Defense Privacy Office reports to the DoD Director of Administration and Management in the Office of the Secretary of Defense (OSD). The Defense Privacy Office has responsibility for developing policy, providing program oversight, and serving as the DoD focal point for DoD privacy matters. The DoD Director of Administration and Management, who serves as the Senior Privacy Official for DoD, issued a memorandum, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information,” September 21, 2007, which implements the OMB requirements for reporting breaches to US-CERT. The memorandum states that, in addition to reporting to US-CERT, DoD Components must report both confirmed and unconfirmed breaches of PII to the Defense Privacy Office within 48 hours of becoming aware of them. The Defense Privacy Office requires prompt reporting so it can react quickly to breaches that have high potential for causing harm, such as identity theft, to affected individuals.

The memorandum also requires the DoD Component that identifies the incident to determine the level of risk of harm, such as identity theft or the disclosure of embarrassing information that could affect one’s reputation. Specifically, when a DoD Component determines whether notifying the general public is necessary, the Component should consider the likely harm and the likelihood of risk occurring.
When assessing risk, the DoD Component should consider the following five factors:

    • the nature of the data elements breached,

    • the number of individuals affected,

    • the likelihood that the information is accessible and usable,

    • the likelihood that the breach may lead to harm, and

    • the ability of the agency to mitigate the risk of harm.

The memorandum also urges agencies to “bear in mind that notification of a breach when there is little or no risk of harm might create unnecessary concern and confusion.” The memorandum further states that the DoD Component will document its assessment of the level of risk and its rationale for not notifying the public.

Objectives

The objective of the audit was to determine whether DSS has adequate controls and accountability to secure its assets that contain sensitive personal data including CACs, safes, laptops, and hard drives. Specifically, we determined whether DSS properly secured assets as part of the transition of the PSI function from DSS to OPM. In addition, we reviewed the security of assets currently in the possession of DSS. See Appendix A for a discussion of the scope and methodology and Appendix B for prior audit coverage.

Review of Internal Controls

We identified material internal control weaknesses for DSS property accountability as defined by DoD Instruction 5010.40, “Managers’ Internal Control Program Procedures,” January 4, 2006.
Former DSS management deviated from DoD Instruction 5000.64 (both 2002 and updated 2006 versions) by not keeping a transaction trail for an estimated 501 laptops and an undetermined number of safes and auxiliary hard drives during the transfer of the PSI function from DSS to OPM. In addition, DSS deviated from DSS internal guidance when it allowed 48 DSS employees to leave DSS without collecting, deactivating, and disposing of their CACs. Although DSS has taken steps to improve its property accountability system, the audit team’s review of a sample of property accounting records of electronic data devices from May to August 2007 indicated that only 23 of 50 property accounting records sampled were accurate.[4] Implementing Recommendations 1.a.-1.c. and 1.f. will improve property accountability at DSS. DSS identified property accountability as a weakness needing correction in its “Memorandum For the Secretary of Defense FY 2007 Annual Statement Required under the Federal Managers’ Financial Integrity Act of 1982,” August 20, 2007.
To correct the inventory control weaknesses, current DSS management has established these planned objectives for FY 2008.

    • Finalize and implement DSS policy and procedures for all categories of plant, property, and equipment.

    • Complete an inventory of DoD property held by OPM and update DPAS.

    • Complete an inventory of all items classified as sensitive property, and ensure items are properly accounted for in DPAS in accordance with DSS policy.

    • Certify the inventory of sensitive property in DPAS.

    • Verify that supporting documentation for reviews and inventories is generated and maintained in accordance with policy.

We will provide a copy of the report to the DSS office responsible for internal controls.

[4] The inventory reviews performed by the DoD IG audit team were limited to headquarters and field offices located in Linthicum, Maryland.

Accounting for Assets With Personally Identifiable Information

Through substantial efforts by current DSS management, the DoD Inspector General (IG) audit team, and OPM management to locate unaccounted-for assets, as of February 11, 2008, 308 out of an estimated 501 unaccounted-for laptops were recovered and confirmed by unique identifier. DSS obtained additional information demonstrating reasonable assurance that 186 of the remaining 193 did not leave control of Government personnel; therefore PII contained on the laptops is not at risk.
DSS continued efforts to locate the seven remaining laptops.

A review of current DSS DPAS inventory records of information technology devices showed that, of a sample of 50 records reviewed, only 23 were accurate. DSS has recognized it has inaccurate inventory records and has documented corrective actions to be achieved in FY 2008.

In addition, as of December 13, 2007, DSS could not fully account for seven CACs and an undetermined number of safes.[5]

This inability to locate property occurred because DSS management at the time of the transfer of the PSI function from DSS to OPM did not:

    • plan for the transfer from DSS to OPM of assets related to the PSI function,

    • define property accountability requirements or oversee the contractor hired to collect and return DSS laptops lent to OPM, or

    • maintain accurate property accountability records for safes, laptops, and auxiliary hard drives during the transfer of the PSI function to OPM in accordance with DoD Instruction 5000.64.

Current DSS management has not fully implemented planned improvements to property accountability.

As a result, DSS management in place during the transfer created a lack of accountability for assets, posing an undue risk of compromising PII for military, civilian, and contractor employees who were investigated for personnel security clearances between 1997 and 2005.
However, because DSS has demonstrated to
the Defense Privacy Office that there is no indication that the unaccounted-for
laptops have left Government control and the Defense Privacy Office has
concluded that the risk of unauthorized disclosure of PII on unaccounted-for
laptops was not high enough to warrant public notification of compromised PII,
DSS did not issue a public notification. Although the Defense Privacy Office
determined no public notification is warranted, a risk of unauthorized disclosure
of PII still exists for the seven remaining unaccounted-for laptops.

5 In February 2008 DSS determined that OPM issued 7 of the 55 CACs to former DSS employees
  after they transferred to OPM.


Accountable Defense Security Service Property

The transfer of the PSI function from DSS to OPM included 1,567 people and
approximately 1,483 laptops. 6 During the transfer, DSS also purchased an
undetermined number of auxiliary hard drives for transferring DSS investigators. The
hard drives allowed the investigators to access documentation stored on OPM’s
automated system for PSI investigations. In addition, DSS allowed 55 investigators to
retain their CACs after transferring to OPM to facilitate their continued access to DoD
facilities to complete ongoing investigations. DSS also allowed OPM to keep an
undetermined number of safes used by DSS investigators to hold sensitive and classified
information.
According to the former Acting DSS Director, the transfer of assets was
based on verbal agreements between the Special Assistant to the former Acting DSS
Director and the OPM Director.

Laptops

Laptops Loaned to OPM. According to the former Assistant to the former Acting DSS
Director 7 and the Deputy Associate Director of OPM, the verbal agreement between
DSS and OPM included the loan of approximately 1,483 DSS laptops (valued at up to
$2.2 million) 8 to OPM so that former DSS PSI investigators could complete ongoing
investigations after transferring to OPM. According to the former Acting DSS Director,
the verbal agreement was that OPM would return the laptops 6 months after the
transfer. 9 However, OPM did not return all the laptops within 6 months. In fact, DSS
continued to receive more borrowed laptops a year after the 6-month agreement had
expired. Regardless of when they were returned, as DSS personnel received the laptops
from OPM, they did not always update their property accountability records.

At the time of the transfer, DPAS records indicated that DSS had an inventory of
approximately 2,826 laptops. According to DSS e-mail correspondence between the
former Acting Director’s Special Assistant and an official at the OSD Comptroller, DSS
transferred 1,483 of the 2,826 laptops to OPM and instructed OPM to return them
6 months after the transfer (the remaining 1,343 were laptops retained for DSS use).

In December 2006 the Chief of DSS Support Services 10 had his staff perform queries of
DPAS records and concluded that DSS could not account for 501 of the 2,826 laptops
listed in DPAS.
The audit team reviewed analysis performed by DSS staff of non-DPAS
inventory records and found that DSS transferred 249 of the 501 unaccounted-for
laptops to OPM and retained 252 for DSS operations. During the course of the audit,
the DoD IG audit team, DSS, and OPM personnel located 308 of the 501 unaccounted-for
laptops confirmed by unique identifier, leaving 193 other than physically accounted
for. Table 1 displays the DSS laptop inventory prior to the transfer and summarizes the
unaccounted-for laptops from the start of the audit in December 2006 through
February 11, 2008.

6 Although 1,567 DSS employees transferred from DSS to OPM, not all DSS employees took DSS
  laptops with them.
7 The Acting Director during the transfer served from 2004 to 2005.
8 This calculation assumes an average cost of $1,500 per laptop.
9 The agreement for OPM to return the laptops to DSS was extended at least three times,
  until April 1, 2006.
10 The Chief of Support Services is no longer employed at DSS.

Table 1. DSS Laptop Inventory

                                        Related to      Unrelated to    Total DSS
                                        PSI Transfer    PSI Transfer    Laptop Inventory
                                        1,483           1,343           2,826*

                                        Related to      Unrelated to
                                        PSI Transfer    PSI Transfer    Total
Unaccounted for                         249             252             501
Physically accounted for                133             175             308
Other than physically accounted for     116              77             193

*The 2,826 laptops are an estimate based on queries of DSS DPAS records of laptops
that DSS used during the transition period. Since DPAS records were not accurate, we
cannot be certain that the 2,826 laptops are not understated or overstated.

Although 116 of the 193 outstanding laptops were related to the transfer of the
PSI function from DSS to OPM, 77 of the 193 unaccounted-for laptops were not related
to the transfer of assets to OPM.
The lack of accountability for laptops at DSS therefore
is not solely a result of DSS transferring laptops to OPM, but also a result of DSS
management not maintaining accurate records of their own laptops.

During the course of the audit, the DoD IG audit team, DSS, and OPM personnel located
308 of the 501 unaccounted-for laptops through the following steps.

    • Between August 2006 and May 2007, DSS sent e-mails to all DSS
      employees requesting that they identify any laptops in their custody by
      unique identifier (serial number or bar code).

    • Between March and June 2007, DoD IG and DSS staff searched nine DSS
      field offices.

    • Between May and July 2007, DoD IG and OPM IG staff searched six OPM
      field offices.

    • Between January 2007 and May 2008, DoD IG and DSS staff reviewed
      Defense Reutilization and Marketing Office (DRMO) and Directorate of
      Logistics documentation 11 to identify any laptops sent to DRMO offices for
      disposal or destruction.

    • Between December 2006 and July 2007, DoD IG and OPM IG staff
      conducted interviews with former DSS and OPM property managers as well
      as former and current DSS and OPM employees listed in DPAS as the last to
      have custody of the unaccounted-for laptops.

    • In August 2007, DSS convened a task force in response to the Deputy
      Secretary of Defense instruction to DSS to dedicate the resources necessary
      to locate the remaining unaccounted-for laptops.

11 The DRMO documentation reviewed included DD Forms 1348-1A, which DoD requires for
   turn-in of assets to the DRMO.

Thanks to the joint efforts, as of February 11, 2008, 308 of the 501 laptops had been
located and confirmed by a unique identifier, reducing the laptops DSS could not
physically account for to 193. Table 2 shows the 308 laptops located and confirmed by
unique identifier.

Table 2. Laptops Located as of February 11, 2008

Laptops located at DSS headquarters                     92
Laptops located at DSS field offices                    91
Laptops located at OPM field offices                    49
Laptops located at DRMO sites                           62
Laptops located at commercial storage facility          14
    Physically accounted-for laptops                   308
    Other than physically accounted-for laptops        186
    Laptops remaining to be accounted for                7
        Total                                          501

Through the efforts of a DSS dedicated task force, DSS obtained information that
indicates 186 of the 193 laptops did not leave Government control. Therefore, PII on
those laptops may not be at risk of unauthorized disclosure. Specifically, DSS has
obtained the following information.

    • DSS identified transaction trails in DPAS records that indicated 21 of the 193
      laptops were incorrect entries in DPAS.
      The laptops were actually disposed of at the DRMO.

    • DSS located DRMO turn-in documents that did not list unique identifiers
      such as serial numbers or barcodes but identified 65 laptops that DSS had
      disposed of at DRMO locations where DSS field offices had closed.
      According to DPAS records, DSS did not remove any laptops from the
      property books during these time frames, indicating that the 65 laptops are
      part of the 193 unaccounted-for laptops.

    • DSS found DPAS records that showed that 55 of the remaining 193 laptops
      may not have been used for PSIs and therefore may not have PII on them.

    • DSS certified that 3 of the 193 unaccounted-for laptops were replaced under
      warranty, but their records were not updated in DPAS.

    • DSS located 42 hard drives from DSS and OPM field offices and matched
      them with 42 of the 193 unaccounted-for laptops by linking employee names
      contained on the hard drives to the employees that DPAS records showed
      were assigned to the laptops.

    • DSS also identified 4,369 hard drives that DSS and OPM disposed of
      through the National Security Agency. However, because DSS disposed of
      these hard drives and there were no records by unique identifier, DSS cannot
      clearly determine whether any of them were part of the 501 unaccounted-for
      laptops. In addition, DSS located 1,292 hard drives that DSS personnel are
      currently analyzing; these hard drives will bring the total to 5,663. DSS
      plans to dispose of the hard drives after completing the analysis.

Table 3 shows the information provided by DSS regarding the remaining unaccounted-for
laptops.

Table 3. Summary of Remaining Laptops as of February 11, 2008

Unaccounted-for laptops                                                        501
Located by unique identifier                                                   308
Laptops not fully accounted for                                                193
Laptops accounted for by other than unique identifier
    Double counted in DPAS records                                     21
    Turned in to the DRMO without record of unique identifiers         65
    DPAS records show not used for PSIs                                55
    Replaced under warranty                                             3
    Accounted for by hard drive                                        42
        Subtotal                                                               186
Total unresolved laptops that may contain PII                                    7

In May 2008 DSS was able to resolve the remaining seven unaccounted-for laptops.
DSS determined that personnel keying serial numbers into DPAS made a typographical
error for each of the seven laptops. DSS compared DRMO turn-in documents and
Directorate of Logistics 12 turn-in documents with the laptop records in DPAS and found
that serial numbers for the seven laptops did not match the unique identifiers in DPAS
records but were only one digit off.
As a result, laptops located and confirmed by
unique identifier as of May 2008 totaled 308; 193 were accounted for by other means.
According to DSS, the information presented demonstrates the previously unaccounted-for
laptops are not at risk of unauthorized disclosure of PII.

12 Directorate of Logistics is an activity within the Office of the Administrative Assistant
   to the Secretary of the Army responsible for providing logistics support to all DoD
   activities in the National Capital Region.

Accuracy of Current DSS Property Accountability. As part of the audit, the audit
team tested current DPAS records (including records of laptops and desktops) to
determine their accuracy as of May 2007. Using the same inventory record system used
to determine that DSS had 501 unaccounted-for laptops, we reviewed a random sample
of 50 current DPAS property records and performed a book-to-floor and floor-to-book
inventory to see if the DPAS records and the items in DSS staff members’ possession
matched. The audit team found that only 23 of the 50 records (46 percent) were
accurate. As a result, the total of laptops unaccounted for, which DPAS records showed
was 501, could be higher or lower because the DPAS records at DSS were not accurate.
The audit team used the 501 unaccounted-for laptops as a baseline for the laptop search
because it was the best information available when the audit began. See Appendix C for
additional explanation of the testing performed at DSS.

Reporting of Possible Breaches to US-CERT and the Defense Privacy Office.
In March 2007, the audit team met with an attorney from the office of the DSS General
Counsel and with the Deputy Director of US-CERT to discuss the unaccounted-for
laptops and to determine what steps DSS should take to comply with US-CERT
reporting requirements. DSS contacted US-CERT and the Defense Privacy Office in
March 2007. US-CERT and the Defense Privacy Office stated that, when DSS and the
DoD IG audit team exhausted their search for the unaccounted-for laptops, DSS should
report the incident to US-CERT and the Defense Privacy Office.

DSS reported the unaccounted-for laptops and mitigating information to the Defense
Privacy Office on January 10, 2008. 13 According to the Director of the Defense Privacy
Office, the risk of unauthorized disclosure of PII associated with the unaccounted-for
laptops was not high enough to warrant a public notification of a breach of PII. The
Director of the Defense Privacy Office added that, because there is no evidence that any
of the laptops or hard drives left Government control, notifying the public of a breach
would cause unnecessary alarm and panic. DSS also met with US-CERT on January 16,
2008, to report the unaccounted-for laptops and present additional information that DSS
believes mitigates the risk of unauthorized disclosure of PII.

According to the DSS Deputy Director, after considering the factors outlined in the
September 21, 2007, OSD Director of Administration and Management memorandum,
DSS determined that there was little or no likelihood that a breach of PII had occurred.
In making that determination, DSS considered there was no evidence any laptops or hard
drives were stolen or ever outside of Government control.
Moreover, through its
ongoing search efforts, DSS continued to locate unaccounted-for laptops and hard
drives, and DSS management believed that it ultimately would be able to account for all
of the remaining laptops and hard drives. Because the risk of harm and the likelihood of
the risk occurring were low, DSS determined that public notification of a potential
breach would create unnecessary concern and confusion among those individuals who
may be affected by the potential breach. Therefore, in accordance with OMB and DoD
guidance, DSS concluded that public notification was not required.

Auxiliary Hard Drives

The DSS transition team agreed with OPM that DSS would purchase and permanently
transfer an undetermined number of auxiliary hard drives for DSS PSI investigators
transferring to OPM. The hard drives would afford access to OPM’s Personnel
Investigations Processing System software. Although no written agreement existed
regarding the auxiliary hard drives, according to the DSS Chief of Support Services, the
intent was to allow OPM to keep the hard drives.
DSS and OPM personnel were unable
to determine the number of auxiliary hard drives because, at the time of the transfer,
DSS did not maintain a record of the purchase of the hard drives nor log the assets in
DPAS.

13 On May 2, 2008, DSS provided the Defense Privacy Office with an updated briefing and
   provided the Director of Administration and Management an updated memo for a determination
   regarding public notification (see a scanned copy of the May 2, 2008, memorandum in the
   Management Comments section).

As further corroboration that the hard drives were intended to become permanent OPM
assets, in June 2007, the OPM Deputy Associate Director provided the DoD IG audit
team a memorandum certifying that:

        These secondary hard drives were not scheduled for return to DSS, and
        remained in the possession of OPM. OPM will continue to manage this as part
        of their equipment inventory, and will dispose of them when appropriate
        according to agency security standards.

The OPM certification, however, did not specify the number of auxiliary hard drives that
DSS purchased and transferred to OPM. According to interviews with the OPM Deputy
Associate Director and the former Acting Director at DSS, the auxiliary hard drives
were used only to access the OPM Personnel Investigations Processing System and
therefore did not contain PII collected at DSS. The hard drives contained PII related
only to OPM investigations and are under OPM control and responsibility. Although
DSS purchased the auxiliary hard drives, we have no indication that they were ever used
to access anything but OPM systems.
Therefore, based on the verbal agreement and the
June 2007 OPM memorandum, OPM has accepted responsibility for the auxiliary hard
drives and any PII on them. Consequently, DSS is not responsible for the information
residing on the auxiliary hard drives.

CACs

In DoD, the Defense Manpower Data Center (DMDC) is responsible for managing and
issuing CACs. DMDC issues CACs for use by personnel as both a form of
identification to enter DoD facilities and a means of electronic authentication to obtain
access to DoD computer systems. According to the DSS “Common Access Card
Procedures Within Defense Security Service,” January 2004, when DoD personnel leave
DoD for a non-DoD agency, they must turn in their CACs. Thus, DSS should have
collected the CACs from the personnel who transferred to OPM. In addition, according
to the “Certificate Policy for United States Department of Defense, Version 9.0,”
February 9, 2005, issued by the Assistant Secretary of Defense (Networks and
Information Integration)/DoD Chief Information Officer (ASD[NII]/CIO), DoD civilian
CACs must be electronically deactivated, meaning they can no longer be used to obtain
access to DoD computer systems when an employee leaves DoD for a non-DoD agency.
Thus, DSS should have contacted DMDC to deactivate the cards of the personnel who
transferred to OPM.

According to the DSS Chief of Security, as part of the transfer, DSS allowed former
DSS investigators to retain their CACs so they could access DoD facilities to complete
ongoing security investigations. OPM employees were to return the CACs on March 19,
2005, 1 month after the transfer.
However, 2 years after the transfer, 55 CACs 14 were
still active. The Chief of Security began working with DMDC and reconciling the
CACs in July 2006. In February 2007, DMDC electronically deactivated all 55
remaining unauthorized CACs.

14 In February 2008 DSS determined that OPM issued 7 of the 55 CACs to former DSS employees
   after they transferred to OPM.

DMDC determined that there were 55 former DSS employees with outstanding CACs.
DMDC records showed that, of 1,567 DSS employees that transferred to OPM, 276 had
CACs at the time of the transfer. Of the 276 CAC holders, 221 were authorized to retain
their CACs after their transfer to OPM because they were also either military reservists
or were affiliated with another part of the military. The remaining 55 of the 276 CAC
holders should have turned their CACs in to DSS when they transferred from DSS to
OPM, and DSS should have notified DMDC to electronically deactivate the CACs.

Although all 55 CAC holders should have turned in their CACs at the time of the
transfer, according to OPM and DSS records, 21 of the 55 unauthorized cardholders
ended up gaining employment with other DoD agencies instead of OPM, and therefore
were permitted to keep their CACs. OPM collected and destroyed another 21 of the 55
unauthorized CACs, and 6 of the employees exchanged their DoD CACs for affiliate
(non-DoD) CACs. In February 2008 DSS determined the remaining seven CACs were
issued to former DSS employees after they transferred to OPM and are the responsibility
of OPM to collect.

As of May 2008, OPM management reported it had collected six of the seven CACs and
was continuing efforts to retrieve the remaining unaccounted-for CACs. Table 4 shows
the status of the cards.

Table 4. Status of 55 DoD Civilian CACs

Status of CACs                                                    Number of CACs
DoD rehired individual associated with CAC                                    21
OPM documented collection or destruction                                      21
Individual exchanged DoD CAC for affiliate CAC                                 6
    CACs DSS is responsible for                                               48
Issued to former DSS employees after they transferred to OPM                   7
    Total                                                                     55

Safes

The DSS Chief of Security explained that the DSS transition team provided OPM a
number of safes as part of the transfer of the PSI function from DSS to OPM. However,
the Chief of Security could not provide the number of safes transferred to OPM because
the transfer was based on a verbal agreement between the transition team and the
Director at OPM.

In July 2007, the OPM Field Support Branch Chief provided the audit team a
certification that OPM had received 23 safes from DSS during the transfer and that none
of the 23 safes contained sensitive or classified information. The certification further
stated that the safes did not contain any DoD sensitive or classified material while in the
possession of OPM. Although OPM has certified it received 23 safes, the fact that DSS
cannot determine the number of safes transferred means there is a risk that additional
safes remain outstanding and that sensitive or classified information contained in those
safes is not under the control of either DSS or OPM.
The DSS Chief of Security has
stated that any unaccounted-for safes are not a security concern because (1) OPM
certified that none of the safes transferred to OPM contained DSS sensitive or classified
material and (2) the safes remained in DSS offices taken over by OPM and were never
shipped to other locations. On the basis of these mitigating factors, we have determined
no additional action is needed regarding potentially unaccounted-for safes.


Planning and Maintaining Accountability for DSS Assets

As of February 11, 2008, DSS could not fully account for 193 laptops by unique
identifier because former DSS management did not:

    • plan for the transfer of assets from DSS to OPM during the transfer of the
      PSI function;

    • define property accountability requirements or oversee the contractor hired to
      collect and return DSS laptops lent to OPM; or

    • maintain accurate property accountability records for safes, laptops, and
      auxiliary hard drives during and after the transfer of the PSI function to OPM
      in accordance with DoD Instruction 5000.64.

In addition, current DSS management has not fully implemented planned improvements
to inventory accountability.

Planning for the Transfer of Assets From DSS to OPM. The former DSS
management at the time of the transfer did not properly plan for the transfer of assets
from DSS to OPM. The memorandum of understanding and memorandum of agreement
only defined the reassignment of DSS personnel to OPM and specified an associated
budget.
The formal agreements did not indicate whether CACs, safes, laptops, and
auxiliary hard drives would transfer to OPM or whether OPM would transfer any of the
assets back to DSS.

Instead, according to the DSS Chief of Support Services, the former Directors of DSS
and OPM based the transfer of hundreds of CACs, laptops, auxiliary hard drives and
numerous safes on an informal, verbal agreement and did not document the number of
assets that would transfer temporarily or permanently to OPM. In addition, according to
the DSS Chief of Security, DSS management at the time of the transfer left key
personnel including him out of the decision-making process. In addition, DSS at the
time of the transfer did not fill the property book officer position when the previous
property book officer transferred to OPM. By not properly planning and documenting
the transfer of assets and responsibility for them, the former DSS and OPM Directors
put the PII of military and civilian employees who were investigated for security
clearances between 1997 and 2005 at risk. If even one laptop containing PII left the
control of the Government and fell into the hands of unauthorized users, it could cause
harm through identity theft or disclosure of PII. Because there was no formal
documentation, subsequent and current DSS managers have been unable, despite
considerable efforts, to determine what assets changed hands, what assets were returned
to DSS, or what assets may be outstanding. The fact that the assets were unaccounted
for, coupled with the fact that they contained PII, created the risk of compromised PII.

Defining the Contractor’s Property Accountability Requirements. On
August 10, 2004, DSS entered into a $4.7 million contract with MZM Incorporated
(MZM) to assist DSS in the transfer of the PSI function from DSS to OPM.
Because DSS did not have a contracting officer, DSS used the Defense Information Systems
Agency to award and administer the contract. The DSS Director of Administration and
Management performed contracting officer representative responsibilities, including
writing the statement of work and performing contract oversight. The contract required
MZM to provide assistance in closing DSS field offices that carried out the PSI function,
provide short-term storage of collected DSS assets, and then turn in the assets to the
local DRMO. In addition, the statement of work listed the following requirements.

    • Maintain the DSS laptop inventory until the final transfer of functions to
      OPM.

    • Maintain inventory listings as required by the Government.

    • Recommend disposition of nonserviceable items to the DRMO.

Although the contract tasked MZM to maintain the DSS laptop inventory and maintain
inventory listings as required by the Government, the contract did not assign MZM
responsibility for removing laptops from the DPAS inventory as they were disposed of
at the DRMO, nor did the contract define what was required by the Government.
Instead, the former DSS property book officer compensated for the lack of specific
language in the statement of work by providing MZM access to DPAS and instructing
MZM to remove the laptops from the DPAS inventory as MZM shipped the laptops to
the DRMO for disposal or returned them to the DSS inventory.

In August 2004, MZM subcontracted the collection of laptops to Improsive
Technologies (Improsive) while MZM kept the responsibility for closing field offices.
Specifically, the statement of work listed the following requirements:

    • Maintenance of DSS laptop inventory, and

    • Disposition of nonserviceable equipment.

Like the MZM contract, the Improsive subcontract did not contain any language
regarding the removal of laptops from DPAS, nor did the subcontract define the
requirements for maintaining DSS laptop inventory or disposing of nonserviceable
equipment.

Although the subcontract did not specify the removal of laptops from DPAS, again the
former DSS property book officer provided Improsive access to DPAS and told
Improsive to remove laptops from the DPAS inventory as Improsive collected them
from OPM and sent them to the DRMO for disposal from August 13, 2004, to March 9,
2006.

According to an Improsive employee involved with the movement of laptops, as MZM
closed field offices, MZM sometimes shipped laptops to the DRMO without recording
their disposal in DPAS. We found documents signed by an MZM employee for
32 laptops that were turned in to the DRMO without being removed from DPAS
records.

If DSS had performed proper planning before writing the statement of work and had
taken into consideration the importance of removing laptops from DPAS records, it
would have fewer unaccounted-for laptops. In addition, if DSS had performed adequate
oversight of the contract with MZM, DSS might have become aware of MZM shipping
laptops to the DRMO without making the appropriate entries in DPAS. DSS then might
have been able to take corrective actions to maintain accountability.

Maintaining Accurate Records. DoD Instruction 5000.64 requires accountability and
transaction trails throughout an asset’s life cycle. The Instruction requires DoD
Components to maintain accounting records of property lent to other Federal agencies,
such as the laptops that DSS provided to OPM for the transfer of the PSI function.

    Use of DPAS. DSS did not comply with DoD Instruction 5000.64 by not
keeping accountable records of laptops provided temporarily to OPM, or keeping a
transaction trail throughout the life cycle of the laptops, from acquisition to disposal.
As a result, DSS, OPM, and the DoD IG audit team had to search through hundreds of
DRMO documents and conduct searches of field offices to locate 308 of the 501 laptops.

DPAS is a DoD-wide property accountability system designed to track assets
throughout their life cycle. DPAS provides an audit trail in accordance with DoD
Instruction 5000.64, which requires that data elements such as unique identifiers be
included in the property system of record. DPAS allows users to process accountable
records by documenting receipts and turn-ins and tracking inventory. DSS lacked
accurate records for the laptops because DSS did not consistently use DPAS to account
for its laptops. Instead, DSS used a combination of DPAS and electronic spreadsheets.
DSS used the electronic spreadsheets after its property book officer transferred to OPM,
leaving no one with a working knowledge of DPAS. The electronic spreadsheets were
not designed to capture information necessary to provide an audit trail, such as the
specific person responsible for the laptop or the actual location of the laptop. For
example, of the 308 laptops located, 41 were located at DSS headquarters but were
initially listed as unaccounted for because entries for them were not in DPAS but on
separate electronic spreadsheets.

Use of Unique Identifiers. According to the DSS Deputy Director, DoD
Instruction 5000.64 does not explicitly require that laptops be tracked by a unique
identifier. He is correct that DoD Instruction 5000.64 is not specific about laptops;
however, it does state that items that are sensitive should be tracked by unique identifier.
And because the Defense Privacy Office considers PII sensitive information, to be
cautious, laptops should be tracked using a unique identifier.
In fact, to clarify any
misinterpretation that DoD Components may have regarding tracking laptops by unique
identifier, the audit team met with a property accountability specialist in the Office of
the USD(AT&L) and discussed clarifying DoD Instruction 5000.64 by explicitly stating
that laptops must be tracked by unique identifier. The author of guidance in
USD(AT&L) was agreeable to clarifying the guidance.

DSS turned in at least 122 laptops to the DRMO that could not be identified by
unique identifier, in part because USD(AT&L) guidance did not require DoD
Components to include unique identifiers on DRMO turn-in documents. Consequently,
DSS did not always include unique identifiers on laptops they turned in to the DRMO.
For example, one of the DRMO turn-in documents included 78 laptops without listing
unique identifiers. Had USD(AT&L) required DSS to include unique identifiers on
DRMO turn-in documents, DSS may have been able to provide clearer evidence that it
disposed of the laptops through the DRMO.

Clarifying Guidance. Over the past 5 years, incidents involving the potential
compromise of PII on laptops have become more prevalent in the Federal Government.
For example, in 2002 the Federal Bureau of Investigation lost 317 laptops, resulting in a
PII breach. In 2006, the Department of Veterans Affairs reported a breach of
information related to a stolen laptop that contained PII on over 26.5 million veterans.
According to the Department of Veterans Affairs, the cost of the breach could be as
much as $500 million. As a result, it is imperative that DoD Components provide
electronic protection and physical accountability, and know how to respond to a breach
of PII.
To address these issues, multiple DoD offices have issued clarifying policies.
The ASD(NII)/CIO, USD(AT&L), and the OSD Director of Administration and
Management have issued the following guidance on the electronic security, physical
security, and notification of breaches of PII.

    • On July 3, 2007, the ASD(NII)/CIO issued “Encryption of Sensitive
      Unclassified Data at Rest on Mobile Computing Devices and Removable
      Storage Media Used Within DoD,” which addresses encryption of sensitive
      information on mobile computing devices such as laptops.

    • On November 2, 2006, USD(AT&L) issued DoD Instruction 5000.64,
      “Accountability and Management of DoD-Owned Equipment and Other
      Accountable Property,” which addresses accountability for DoD-owned
      equipment.

    • On September 21, 2007, the OSD Director of Administration and
      Management issued the memorandum, “Safeguarding Against and
      Responding to the Breach of Personally Identifiable Information,” which
      addresses reporting breaches of PII.

To provide a seamless source of instruction on how to protect PII on mobile
computing devices such as laptops, the ASD(NII)/CIO, the USD(AT&L), and the
Director of the Defense Privacy Office met on August 29, 2007, to discuss the issuance
of a memorandum to direct DoD managers to the proper guidance that will address all
aspects of protecting sensitive and classified information on mobile computing devices.
The Director of the Defense Privacy Office verbally agreed to take the lead on
developing the guidance. However, a specific deadline for issuance of the guidance has
not been established.

Current DSS Inventory. Current DSS management inherited inaccurate
inventory records from previous management.
However, at the time of this audit,
current DSS management had not fully implemented planned improvements to inventory
accountability. Based on a review of a sample of DSS inventory records, we determined
the records remained inaccurate. Specifically, of the 50 DPAS employee custodial
records we reviewed, only 23 were accurate. The book-to-floor and floor-to-book
inventory review performed by the audit team identified inventory items assigned to
DSS employees that DSS could not locate. In addition, the audit team identified assets
in the possession of DSS employees that DSS did not list in DPAS. Because of the
long-standing inaccuracies in the DSS inventories, the reliability of the totals of
unaccounted-for laptops and other assets remains in question.

Current DSS management recognizes that the agency’s inventory records are not
accurate and reported this as a weakness in the DSS “Memorandum for the Secretary of
Defense FY 2007 Annual Statement Required Under the Federal Managers’ Financial
Integrity Act of 1982,” August 20, 2007.
Current DSS management listed the following
objectives to improve accountability for agency assets.

    • Finalize and implement DSS policy and procedures for all categories of
      plant, property, and equipment in first quarter of FY 2008.

    • Complete inventory of DoD property held by OPM and update DPAS in first
      quarter of FY 2008.

    • Complete inventory of all items classified as sensitive property and ensure
      items are properly accounted for in DPAS in accordance with DSS policy in
      second quarter of FY 2008.

    • Certify DSS inventory of sensitive property in DPAS in third quarter of
      FY 2008.

    • Verify that supporting documentation for reviews and inventories is
      generated and maintained in accordance with policy in third quarter of
      FY 2008.


Risk of Compromised PII

Accountability for assets such as CACs, safes, laptops, and auxiliary hard drives that
contain PII is critical to reduce the risk that those assets can be compromised and the
information used inappropriately. During the transfer of the PSI function from DSS to
OPM in February 2005, DSS management did not define the parameters for transferring
the assets to OPM along with 1,567 former DSS staff members. And during the transfer,
DSS did not take the necessary steps to accurately account for the assets.
DSS management since the transfer has not completed steps to improve asset accountability.
As a result, at the outset of this audit, DSS could not account for at least 55 CACs,[15]
501 laptops, and an undetermined number of safes and auxiliary hard drives. Since then
DSS has been able to resolve the 55 CACs, show evidence that the 501 laptops had not
left Government control, and perform significant due diligence to resolve accountability
issues related to unaccounted-for safes.

[15] In February 2008 DSS determined that OPM issued 7 of the 55 CACs to former DSS
employees after they transferred to OPM.

Laptops. Although at the beginning of the audit DSS could not locate 501 laptops, the
efforts of DSS, OPM, and the DoD IG resulted in physically locating 308 laptops, and
accounting for the remaining 193 by other means as of May 2008. DSS management in
place during the transfer created a lack of accountability for assets, posing an undue risk
of compromising PII for military, civilian, and contractor employees investigated for
personnel security clearances between 1997 and 2005. To date, no evidence has come to
light to indicate that the laptops have left the Government or that PII has been
compromised. Still, the potential for compromise occurred. For example, in October
2007 DSS located 14 laptops in a secured, caged area of a commercial storage facility in
California used by MZM while closing DSS field offices. However, neither DSS nor
MZM had paid the monthly storage fees in over a year, and DSS has no proof that those
14 were the only laptops placed in the storage facility.
It is unclear whether DSS has
had full control over all its laptops and the PII contained on them.

Of further concern is the extent of PII maintained on the laptops. The audit team
performed a forensic review on a sample of the recovered laptops. We determined that
data contained on the hard drives was easily accessible without a password. Based on a
limited review of 33 recovered hard drives, the audit team found PII ranging from as
early as 1997 to as late as 2005. Although the DoD IG audit team found no evidence of
compromised PII, the lack of accountability caused by DSS management in place during
the transfer posed a risk of compromising PII of military, civilian, and contractor
employees. However, continued efforts by DSS current management have shown the
remaining unaccounted-for laptops have not left the Government, reducing the risk of
compromise of PII on those devices to low or none.

CACs. In February 2005, DSS allowed 55 DSS employees to leave DoD without
collecting and deactivating the employees’ CACs. However, in July 2006, once made
aware of the issue, DSS did take steps to have DMDC deactivate all 55 CACs. DSS and
DMDC took steps to deactivate all 55 outstanding CACs, of which DSS and OPM
collected 48. The remaining seven CACs were issued to former DSS employees after
they had left DSS and therefore are OPM’s responsibility to collect.

Safes. According to the DSS Chief of Security, DSS could not determine the number of
safes transferred to OPM.
However, the OPM Chief of Field Support Services certified
that OPM received 23 safes and that the safes did not contain any DoD sensitive or
classified information while they were in the possession of OPM.

To determine the accuracy of the current inventory of DSS safes, we performed a review
at DSS headquarters and DSS field offices.[16] Although DSS could not determine the
number of safes it transferred to OPM, the DSS inventory records at the time of our
review matched the physical inventory at headquarters in Alexandria, Virginia, and at
field offices in Chantilly, Virginia; Huntington Beach, Pasadena,
San Diego, and Sunnyvale, California; and Linthicum, Maryland. The Chief of Security
has ultimate responsibility for safes at DSS and is working with the DSS property book
officer to update DPAS records to include a DSS-wide inventory of safes.

Internal Controls Over DSS Assets. DSS continues to experience difficulties in
accounting for assets that were not part of the transfer to OPM. Specifically, only
46 percent of DPAS records of laptops and desktops we reviewed were accurate. DSS
must improve controls over and accountability for assets currently in its possession.
Although it is clear that DSS inherited inaccurate accounting records, DSS is responsible
for putting controls in place that will help ensure property accountability.

[16] The DoD IG inventory review of safes was performed separately from the DoD IG
inventory review of laptops and desktops in DPAS.


Actions Taken by DSS

Current DSS management has worked diligently to account for the unaccounted-for
assets, particularly the laptops that potentially contained PII.
Through joint efforts,
308 of an estimated 501 laptops have been located and confirmed by unique identifier.
DSS has obtained evidence that the remaining 193 laptops have remained in
Government control. Although some risk exists because the initial baseline of
501 laptops was not accurate, DSS has worked with Defense Privacy Office and
US-CERT officials, who have concluded that because of DSS continued efforts, the risk
of unauthorized disclosure of PII is not high enough to warrant a public notification of a
breach of PII. In addition, DSS demonstrated that as of February 2007 all 55 CACs had
been deactivated, and as of February 2007, the remaining CACs that were the
responsibility of DSS had been physically collected.

Current DSS management inherited a property accountability process that lacked
adequate internal controls. We commend DSS management for taking steps to improve
controls over property accountability. Specifically, in spring 2007, DSS began
reconciling DPAS records and issuing hand receipts for DSS assets including laptops.
In addition, the property book officer wrote new draft guidance that requires DSS to
perform a physical inventory every year. This requirement is more stringent than DoD
Instruction 5000.64, which requires DoD Components to perform a physical inventory
every 3 years. DSS began performing an inventory review in August 2007, and
managers continued to gather information through May 2008. They showed with
reasonable certainty that the remaining unaccounted-for laptops have not left the control
of the Government and that the risk of unauthorized disclosure of PII is reduced.

In response to the draft report, the Director stated DSS management continued to
improve inventory records at DSS by conducting regular inventories that included a
100-percent inventory between March and December 2007.
The Director also stated
DSS implemented new procedures for procuring, receiving, and accounting for property.
The procedures include capturing all information technology equipment in DPAS. The
Director further stated she added a team leader and five support staff to DSS Support
Services, the office responsible for keeping accurate property records. In addition, DSS
management is preparing an operating instruction that will accompany DSS
Regulation 15-2, “Property Management.”


Management Comments on the Finding and Audit Response

Please see Appendix D for management comments and audit responses on the finding.


Recommendations, Management Comments, and Audit Response

Revised, Deleted, and Renumbered Recommendations. As a result of new evidence
provided by DSS management that showed the remaining 7 of the 501 initially
unaccounted-for laptops had not left the control of the Government; and the remaining
7 unaccounted-for common access cards were issued to former DSS employees after
they left DSS, we have deleted draft Recommendations 1.f., 1.g., 1.h. In addition, based
on mitigating risk factors related to potential unaccounted-for safes we removed
Recommendation 1.i. and renumbered the other parts of Recommendation 1. accordingly.
We also revised Recommendation 3. to clarify its intent.

1. We recommend that the Director, Defense Security Service assign appropriate
personnel to:

a. Maintain an audit trail showing all transactions from acquisition to disposal
for assets that contain sensitive or classified information in accordance with DoD
Instruction 5000.64, “Accountability and Management of DoD-Owned Equipment
and Other Accountable Property,” November 2, 2006.

Management Comments. The Director, Defense Security Service concurred and
explained that the DSS Property Management Regulation became effective on
February 8, 2008. The regulation assigns responsibilities at all levels for the
management and accountability of DSS assets throughout each asset’s life cycle. In
addition, DSS management is developing Property Management Operating Instructions
that further define processes and procedures for accountability and management of DSS
property, plant, and equipment. The Director expects to publish the operating
instructions in the third quarter of FY 2008. Finally, the Director stated that on March
31, 2008, she had detailed a full-time employee to help integrate the Chief Information
Officer inventory spreadsheet into DPAS and provide guidance to the Chief Information
Officer for the life-cycle management of and accountability for information technology
assets.

Audit Response. The Director, Defense Security Service comments were responsive.
Developing and implementing the DSS Property Management Regulation and Operating
Instructions, combined with conducting physical inventories as discussed in
Recommendation 1.b., will help DSS maintain an audit trail in accordance with DoD
Instruction 5000.64. No additional comments are needed.

b. Conduct a periodic physical inventory of laptops and other assets that
contain personally identifiable information.

Management Comments. The Director, Defense Security Service concurred and
explained that, in addition to requiring a 100-percent physical inventory of all DSS
property, plant, and equipment, DSS will also perform random spot inventories,
verifying hand receipts and physical equipment.
DSS management is seeking vendors
that conduct physical inventory services and plans to have the first inventory
reconciliation completed and property books transferred to a new property book officer
in the first quarter of FY 2009.

Audit Response. The Director, Defense Security Service comments were responsive.
The actions taken and planned meet the intent of the recommendation, and no additional
comments are needed.

c. Track assets that contain personally identifiable information using a unique
identifier, such as a serial number or bar code.

Management Comments. The Director, Defense Security Service concurred and plans
to track all assets that could contain PII by using a serial number and barcode in DPAS
throughout the assets’ life cycle.

Audit Response. The Director, Defense Security Service comments were responsive.
The actions taken by the Director meet the intent of the recommendation, and no
additional comments are needed.

d. Report any future confirmed or unconfirmed instances of unauthorized
disclosure of personally identifiable information to U.S. Computer Emergency
Readiness Team and the Defense Privacy Office in accordance with Office of
Management and Budget memorandum M-06-19, “Reporting Incidents Involving
Personally Identifiable Information and Incorporating the Cost for Security in
Agency Information Technology Investments,” July 12, 2006, and with DoD
Directive 5400.11-R, “DoD Privacy Program,” May 14, 2007.

Management Comments. The Director, Defense Security Service concurred, stating
DSS would continue to comply with Office of Management and Budget and DoD
requirements for potential breach or compromise of PII.

Audit Response. The Director, Defense Security Service comments were responsive,
and no additional comments are needed.

e. Establish guidelines and training that DSS employees must follow to protect
personally identifiable information from unauthorized disclosure.

Management Comments. The Director, Defense Security Service concurred, stating
DSS would create PII protection training and make it part of the DSS New Employee
Orientation Program. DSS will also include protection of PII as an annual training
requirement. DSS expects to have the first training iteration ready by June 30, 2008.

Audit Response. The Director, Defense Security Service comments were responsive.
The actions taken by DSS meet the intent of the recommendation, and no additional
comments are needed.

f. Issue guidance that requires Defense Security Service to perform a physical
inventory every year in compliance with DoD Instruction 5000.64.

Management Comments. The Director, Defense Security Service concurred. She
stated that DSS Regulation 15-2, “Property Management,” took effect on February 8,
2008. She said the guidance would be supplemented with more specific processes and
procedures in the near future.

Audit Response. The Director, Defense Security Service comments on the
recommendation were responsive. The actions taken and planned by DSS meet the
intent of the recommendation, and no additional comments are needed.

2. We recommend that the Under Secretary of Defense for Acquisition,
Technology, and Logistics:

a. Add clarifying language to DoD Instruction 5000.64 stating that the policy
applies to mobile computing devices, including but not limited to laptops, mobile
information storage devices, and auxiliary hard drives, regardless of dollar
thresholds.

Management Comments. The Director, Acquisition Resources and Analysis,
responding for the Under Secretary of Defense for Acquisition, Technology, and
Logistics, concurred.
She stated that DoD Instruction 5000.64 will be revised to clarify
property accountability and management guidance for information technology property
items that contain personally identifiable information.

Audit Response. Management comments were responsive, and no additional comments
are needed.

b. Require that all DoD Components include unique identifiers on Defense
Reutilization and Marketing Office turn-in documents when disposing of laptops
and other electronic devices that may contain personally identifiable information.

Management Comments. The Director, Acquisition Resources and Analysis,
responding for the Under Secretary of Defense for Acquisition, Technology, and
Logistics, partially concurred. She stated that they agree with the objective and intent of
the recommendation. However, she suggested that guidance in two documents not
captured in the report may eliminate the need for the recommendation. The documents
are:

    • Deputy Secretary of Defense Directive Memorandum, “Disposition of
      Unclassified DoD Computer Hard Drives,” May 29, 2001; and

    • Assistant Secretary of Defense for Command, Control and Communications
      Memorandum, “Disposition of Unclassified DoD Computer Hard Drives,”
      June 4, 2001.

These two memoranda require that all hard drives of unclassified computer equipment
leaving the custody of DoD be sanitized and certified that the sanitization process
occurred.

Audit Response. Management comments were not responsive. Although the two
memoranda listed above address the removal of information from hard drives and the
destruction of hard drives, the memoranda do not address accountability for DoD
laptops as they are turned in to the DRMO for disposition.
Therefore, the two
memoranda do not meet the intent of the recommendation.

Requiring DoD Components to list unique identifiers (serial numbers) on DRMO turn-in
documents would complete the transaction trail, showing evidence the laptop was
properly disposed of. Conversely, not listing laptops by unique identifier on the DRMO
turn-in document makes it impossible to document that specific laptops were turned in
to the DRMO. For example, DSS and the DoD IG audit team reviewed turn-in
documents showing 65 laptops were disposed of at DRMO locations. However, DSS
could not clearly determine whether the laptops were part of the 501 unaccounted-for
laptops because the DRMO turn-in documents lacked a unique identifier. We request
that the Under Secretary of Defense for Acquisition, Technology, and Logistics
reconsider his position on Recommendation 2.b. and provide additional comments in
response to the final report.

3. We recommend that the Director of the Defense Privacy Office continue working
with the Office of the Assistant Secretary of Defense (Networks and Information
Integration)/DoD Chief Information Officer and the Office of the Under Secretary
of Defense for Acquisition, Technology, and Logistics to issue a memorandum to all
DoD managers identifying all guidance pertaining to protecting personally
identifiable information, responding to breaches of personally identifiable
information, and accounting for assets.

Management Comments. The Senior Agency Official for Privacy did not concur with
the draft recommendation that the Defense Privacy Office continue working with the
Office of the Assistant Secretary of Defense (Networks and Information
Integration)/DoD Chief Information Officer and the Office of the Under Secretary of
Defense for Acquisition, Technology, and Logistics to develop overarching guidance on
the protection of PII on mobile computing devices because such guidance would only
confuse them.

Audit Response. Based on management comments, we revised the draft
recommendation to develop overarching guidance. The intent of the recommendation
was not to reissue or rewrite or even summarize existing guidance, but to tell DoD
managers which guidance they should follow when protecting PII, accounting for assets
that are sensitive, and reporting a potential breach of PII. The purpose of the
memorandum is to have one document that directs DoD managers to all the proper
guidance for electronic protection, accountability, and reporting of breaches—guidance
that has been written by different DoD Components. The memorandum would help
ensure that DoD managers are aware of and follow all the proper guidance and
procedures when handling PII and sensitive assets. We request that the Director of the
Defense Privacy Office respond to the revised recommendation in comments on the final
report.


Appendix A. Scope and Methodology

We conducted this performance audit from November 2006 through May 2008 in
accordance with generally accepted government auditing standards. These standards
require that we plan and perform the audit to obtain sufficient, appropriate evidence to
provide a reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objectives.

We reviewed DSS controls over assets that contain sensitive personal data or PII. For
purposes of this audit, assets included laptops, hard drives, CACs, and safes. We
interviewed DSS and OPM personnel involved with the transfer of the PSI function to
OPM to determine the procedures they used to account for laptops, hard drives, CACs,
and safes transferred. We exhausted all leads stemming from these interviews in our
search to account for the unaccounted-for laptops, CACs, and safes.
Additionally, we
performed a book-to-floor inventory and floor-to-book inventory to evaluate the
reliability of DSS records of current assets.

Laptops. We interviewed the former DSS Chief of Support Services, former Improsive
personnel, the former DSS Assistant to the former Acting Director, the DSS Supply
Management Specialist, the former DSS Property Manager, and former DSS Acting
Directors to find out what happened to the laptops during the PSI function transfer. We
reviewed documentation from DSS and OPM personnel to determine possible locations
of laptops. We reviewed turn-in documents to identify those laptops transferred to other
agencies. We coordinated with the OPM Deputy Associate Director to obtain
certifications from DSS employees who became OPM employees as to the status of their
laptops. We reviewed the certifications to determine the last known individual and/or
location associated with each laptop and followed each piece of information until we
exhausted all leads.

To search for unaccounted-for laptops, we conducted site visits to DSS offices in
Alexandria and Chantilly, Virginia; Smyrna, Georgia; Huntington Beach, Pasadena, San
Diego, and Sunnyvale, California; Columbus, Ohio; and Linthicum, Maryland. We also
coordinated with the OPM Chief of Internal Audits Group to visit OPM locations in
Boyers, Pennsylvania; Long Beach, California; Ft. Meade, Maryland; Smyrna, Georgia;
St. Louis, Missouri; and Virginia Beach, Virginia.

We coordinated with the Defense Criminal Investigative Service to search pawn shops
in cities identified as having the most unaccounted-for laptops.
Investigators searched
pawn shops in the District of Columbia metropolitan area and in Maryland, Texas,
California, Florida, and Virginia.

We judgmentally selected a sample of 33 hard drives pulled from located laptops that
were originally included in the 501 unaccounted-for computers. The DoD IG Defense
Criminal Investigative Service performed a forensics review of the 33 hard drives to
determine whether they contained PII. Seventeen of the thirty-three hard drives did
contain PII.

CACs. We interviewed the DSS Chief of Security to determine the procedures used to
account for, collect, and terminate the CACs issued to PSI agents who transferred to
OPM. We verified the information with DMDC and the OPM Chief of Field Support.

Safes. We interviewed the DSS Chief of Support Services, the DSS Chief of Security,
and the OPM Federal Investigative Services Program Manager to account for safes
transferred from DSS to OPM and to determine what controls DSS has in place over
safes.

Policy. We reviewed DoD policies, regulations, and guidance applicable to property
accountability and the safeguarding of assets and sensitive information. We interviewed
officials from ASD(NII)/CIO, Department of Homeland Security, USD(AT&L) and the
DoD Privacy Office to determine additional criteria applicable to property
accountability, security of assets, and incident reporting.

Use of Computer-Processed Data. We used computer-processed data from DPAS to
identify the 501 laptops that DSS could not account for. Our review of DPAS records
indicated that property records in DPAS were not always accurate; therefore, we cannot
be certain that 501 is the correct number of unaccounted-for laptops at DSS. We used
computer-processed data from the Defense Enrollment Eligibility Reporting System to
identify the CACs that DSS could not account for.
We did not assess the reliability of the data from the Defense Enrollment Eligibility Reporting System, but have no reason to suspect that the data are inaccurate.

Scope Limitation. We obtained information from DSS that indicated as many as 193 laptops that were other than physically accounted for were not at risk of unauthorized disclosure. Although we documented the DSS methodology for obtaining the information, because we obtained the information after we completed our fieldwork, we did not verify all of the supporting data.

Use of Technical Assistance. We obtained assistance from our Quantitative Methods Division in selecting a sample of DPAS records to assess the accuracy of the DSS property inventory.

Government Accountability Office High-Risk Area. The Government Accountability Office has identified several high-risk areas in the Department of Defense. This report provides coverage of the business transformation high-risk area, specifically the security clearance program and contract management.

Appendix B. Prior Coverage

During the last 5 years, the Government Accountability Office (GAO) and DoD IG have issued 7 reports related to adequate controls and accountability to secure assets that contain sensitive personal information. Unrestricted GAO reports can be accessed over the Internet at http://www.gao.gov. Unrestricted DoD IG reports can be accessed at http://www.dodig.mil/audit/reports.

GAO

GAO Report No. GAO-06-1070, “DoD Personnel Clearances: Additional OMB Actions Are Needed to Improve the Security Clearances Process,” September 2006

GAO Report No. GAO-06-706, “Managing Sensitive Information: DoD Can More Effectively Reduce the Risk of Classified Errors,” June 2006

GAO Report No. GAO-05-207, “High-Risk Series: An Update,” January 2005

DoD IG

DoD IG Report No. D-2003-112, “Contracting Practices of the Defense Security Service for Personnel Security Investigations,” June 27, 2003 (For Official Use Only)

DoD IG Report No. D-2003-066, “Information System Security Controls Over the Use and Protection of Social Security Numbers Within DoD,” March 21, 2003

DoD IG Report No. D-2003-036, “Supply Inventory Management Property Accountability at Research, Test, and Evaluation Installations,” December 16, 2002

DoD IG Report No. D-2002-138, “Security Allegations Concerning the Management and Business Practices of the Defense Security Service,” August 9, 2002

Appendix C. Review of Defense Property Accountability System Records

At the outset of the audit, DSS officials informed the audit team that they could not account for 501 laptops out of a universe of 2,826, of which 1,483 were transferred to OPM and used for PSIs. According to DPAS records, DSS could not account for 501 laptops, leaving 2,325 accounted for. To check for accuracy, the audit team randomly sampled 50 DPAS records. We ran a floor-to-book and book-to-floor review to see whether the information technology items (including laptops and desktops) listed for the individuals in DPAS records matched the items that those individuals maintained in their custody.

Only 23 of the 50 (46 percent) records in DPAS matched with what DSS personnel had in their possession. Included in the 50 DPAS records we reviewed were 7 of the 2,325 laptops that DSS should be able to account for. However, DSS accurately recorded only five of the seven laptops in DPAS.
Specifically, two laptops were located on the floor but were not accurately listed in DPAS.

Because of the inaccuracies found in DPAS, we cannot be certain that 501 is the total unaccounted-for DSS laptop inventory.

Appendix D. Management Comments on the Finding and Audit Response

The Director, Defense Security Service provided comments on the finding that addressed accountability of laptops, CACs, and safes.[17]

Laptops

The Director, Defense Security Service provided comments on the following:

    • compliance with DoD Instruction 5000.64,
    • accounting for DSS laptops,
    • risk associated with unaccounted-for laptops, and
    • public notification.

Management Comments on Compliance With DoD Instruction 5000.64. The Director, Defense Security Service stated that the audit team is holding DSS to a higher standard than the rest of DoD by requiring serial number accountability. The Director, Defense Security Service pointed out that DoD Instruction 5000.64 states:

    Accountable property records shall be established for all property purchased, or otherwise obtained, having a unit acquisition cost of $5,000 or more; leased assets (capital assets) of any value; and assets that are sensitive or classified.

DoD Instruction 5000.64 references DoD Manual 4100.39-M, Volume 10, Table 61 (Reference (k)), which lists examples of sensitive items—such as nonnuclear missiles and rockets; arms, ammunition, and explosives; drugs and other controlled substances; and precious metals—but does not list laptops that contain PII.
Furthermore, the Director noted, DoD Instruction 5000.64 defines sensitive items as property requiring a high degree of protection and control due to statutory requirements or regulations. Nowhere in DoD Instruction 5000.64, she stated, is there a requirement that DoD Components track information technology equipment or other items containing PII by serial number or other unique identifier. The Director stated that not all laptops in DSS or DoD contain PII; therefore, not all laptops should be required to be tracked by unique identifier.

[17] We considered the comments made by the Director on the finding discussion and made appropriate adjustments.

Audit Response. Officials from the Office of the USD(AT&L) stated that the intent of DoD Instruction 5000.64 is that DoD managers should consider their specific circumstances and use prudent judgment in determining what assets they should account for by unique identifier. Because 249 of the 501 initially unaccounted-for laptops at DSS were used for PSI investigations and may have contained PII, DSS managers should have accounted for these assets in a manner that would allow them to determine from their property records where each laptop is, and who is responsible for it at all times. Without accounting for laptops by unique identifier, it is extremely difficult for management to determine what laptops are missing and what laptops are accounted for. For example, DSS management spent approximately 3 years and significant resources to account for laptops and demonstrate they had not left the control of the Government.
If DSS had implemented controls including accounting for laptops using unique identifiers during the transfer, DSS management could have tracked down the 501 initially unaccounted-for laptops faster and with fewer resources. The Director made the point that not all laptops at DSS contain PII; therefore, DSS should not have to account for all its laptops by unique identifier. However, because DSS lacked controls to demarcate which laptops contained PII, and any laptops can contain PII, DSS should account for all its laptops by unique identifier.

Furthermore, both the 2002 version of DoD Instruction 5000.64, paragraph 5.3.1.1, and the 2006 version, paragraph 6.3, state:

    Although the Department of Defense may not have physical custody, to maintain effective property accountability and control and for financial reporting purposes, DoD components shall establish records and maintain accountability for property (of any value) furnished to contractors as Government Furnished Property.
    This requirement includes property that is loaned and/or otherwise provided to outside entities such as Federal agencies, State and local governments, and foreign governments.

To maintain this accountability, the 2002 version[18] specifically lists data elements applicable to property accountability records and systems in paragraph 5.3.3.8 to be “part number, National Stock Number, serial number, bar codes, or other unique identifiers.” The audit team used serial numbers as the unique identifier to account for laptops because we found from reviewing the DSS DPAS inventory records that serial numbers were the only consistent unique identifier used by DSS. Therefore, the audit team was not holding DSS to a higher standard, but used what DSS records had available to clearly identify the unaccounted-for laptops. The overall purpose was to physically verify the specific missing devices, and serial number, of all unique identifiers, was found to be the best data element in this case.

Management Comments on Accounting for DSS Laptops. The Director stated that the audit team mischaracterized the accountability standard of unique identifier by identifying 193 laptops as not fully accounted for. The Director further stated the audit team considered laptops fully accounted for only when the team obtained a scanned copy of the back of the laptop, a DD Form 1348-1 with a serial number, or a DA Form 3161 with a serial number. The Director pointed out that the draft audit report acknowledged that DSS further accounted for 186 of the remaining 193 laptops.
The Director noted that DSS was able to coordinate with OPM and use a “new investigative methodology” to account for the remaining seven previously unaccounted-for laptops.

The Director stated that, prior to receiving the draft report, DSS had accounted for 186 of the 193 laptops using a “naturally progressive investigation.” Although DSS initially attempted to meet the standard set by the DoD IG by accepting only scanned copies of the laptops, DD forms 1348-1A, and DA forms 3161 as serial number identification, DSS management finally used a standard of “reasonable degree of certainty” to demonstrate that the PII contained on the laptops was properly disposed of or safeguarded.

[18] The 2002 version of DoD Instruction 5000.64 was the version applicable during the transfer of the PSI function from DSS to OPM, which occurred in February 2005.

Finally, the Director noted that DSS had been able to account for the remaining 7 of the 501 initially unaccounted-for laptops after the audit team issued the draft report. DSS staff accounted for the remaining laptops by comparing the laptop serial numbers entered on DRMO turn-in documents with the serial numbers entered in DPAS. DSS found that seven of the serial numbers listed on the turn-in documents were never entered in DPAS. Additional analysis showed that the seven laptops were each one digit off from the seven remaining unaccounted-for laptops listed in the property records. The Director concluded that the difference in the serial numbers may have been caused by data entry errors, which have since been corrected; therefore, DSS has accounted for the previously unaccounted-for laptops.

Audit Response.
The audit team did not mischaracterize DoD Instruction 5000.64. The intent of the Instruction is that DoD managers should assess their specific circumstances and use prudent judgment in determining what assets they should account for using a unique identifier. Considering that 249 of the previously unaccounted-for DSS laptops potentially contained PII including financial, medical, and other personal information of military and civilian employees who were investigated for personnel security clearances between 1997 and 2005, prudent management should have accounted for these laptops in a manner that would allow it to verify the location and existence of each laptop. Accurate property records that use unique identifiers to track laptops enable management to have that level of control over the property accountability of laptops.

The Director’s assessment of how the audit team determined a laptop was fully accounted for was not completely accurate. The audit team determined the laptop was fully accounted for if DSS could verify the existence of the laptop or could fully confirm its disposal. Because of the sensitive nature of PII on the laptops, the audit team differentiated between laptops that were fully accounted for and laptops that could be accounted for by a standard of reasonable certainty. We determined laptops were fully accounted for if we could physically locate them or verify documentation of their disposal through a DoD turn-in document. The auditors documented the existence of the laptops by scanning the unique identifier (serial number or barcode) on the back of the laptop, or documenting the disposal of the laptop by obtaining a copy of the DoD turn-in document and verifying the unique identifier listed on the document. The audit team considered unique identifiers other than serial numbers; however, at DSS, serial numbers were used because DSS had not consistently used any other unique identifier for the laptops.
The audit team acknowledged in the audit report that DSS was able to account for the remaining 193 unaccounted-for laptops using a reasonable degree of certainty.

We reviewed the methodology DSS used to account for the remaining 7 of the 501 unaccounted-for laptops and obtained supporting documentation. We agree with the DSS conclusion that the remaining seven unaccounted-for laptops may be attributed to data entry errors. Therefore, we have deleted the draft recommendations for DSS to continue working with OPM to locate the remaining unaccounted-for laptops and to implement steps to mitigate the risk of unauthorized disclosure of the personally identifiable information stored on those laptops.

Management Comments on Risk Associated With Unaccounted-for Laptops. According to the Director, DSS management has been able to show with a reasonable degree of certainty that the risk of unauthorized disclosure of PII is low to nonexistent. The Director emphasized that neither the DoD IG audit team nor DSS investigators found any evidence of theft or malicious intent regarding the unaccounted-for laptops. In addition, the Director stated that DSS had properly disposed of more than 5,600 hard drives and more than 1,800 laptops in accordance with DoD regulations. Further, the Director stated that, of the 33 hard drives the audit team reviewed, only 17 contained PII, and many of those hard drives contained PII of DSS agents, not the PII of the subjects of security clearance investigations.

Audit Response. While we do not dispute that there has been no indication of theft or malicious intent regarding the unaccounted-for laptops, or that DSS has properly disposed of thousands of laptops and hard drives, some risk still exists because the initial baseline of 501 laptops was not accurate. As a result, additional unaccounted-for laptops may still exist.
We also do not dispute that DSS followed National Security Agency guidance or that DSS reviewed internal procedures for reformatting, storing, and disposing of hard drives. However, we disagree that the risk is eliminated because much of the PII on the hard drives tested belonged to DSS agents rather than to the subjects of security investigations. PII of DSS agents requires the same level of protection as that of the subjects they are investigating.

Management Comments on Determination of Public Notification. The Director, Defense Security Service determined public notification was not necessary in accordance with DoD Regulation 5400.11-R, “Department of Defense Privacy Program,” May 14, 2007, and the Director of Administration and Management Memorandum, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information,” September 21, 2007. Specifically, DSS considered a two-part test, which included assessing (1) the likely risk of harm and (2) the relative likelihood of the risk occurring. In determining the likely risk of harm, DSS considered the following five factors in accordance with the memorandum:

    • the nature of the data elements breached,
    • the number of individuals affected,
    • the likelihood that the information is accessible and usable,
    • the likelihood that the breach may lead to harm, and
    • the agency’s ability to mitigate the risk of harm.

According to the Director, Defense Security Service, when determining whether notification was necessary, she took into consideration not only the five factors but also that there was no evidence that any of the laptops were stolen or outside control of the Government. Furthermore, the Director considered that, ultimately, DSS would be able to account for the remaining unaccounted-for laptops.
The Director, Defense Security Service informed the Defense Privacy Office of its determination in a memorandum dated January 15, 2008. The Defense Privacy Office agreed with the DSS determination.

Audit Response. We agree that the Director, Defense Security Service, working with the Defense Privacy Office, made the determination that public notification was not warranted. The Defense Privacy Office has the authority to work with DoD Components to make the decision on public notification.

CACs

Management Comments on CACs. The Director, Defense Security Service stated the DSS Security Office began reconciling DoD CACs in July 2006. The Director further stated that OPM issued the seven remaining outstanding CACs after the employees transferred to OPM. Consequently, DSS is not responsible for retrieving the outstanding CACs. The Director, Defense Security Service added that OPM has since obtained six of the seven outstanding CACs and is continuing its efforts to locate the remaining CAC.

Audit Response. As a result of management comments and additional work, we deleted the draft recommendation on CACs.

Safes

Management Comments on Safes. The Director stated that DSS received a final accounting of safes from OPM, certifying that DSS transferred 23 safes to OPM. The OPM certification stated that none of the safes contained sensitive or classified information and that all the safes were transferred to OPM but remained in place. The Director also pointed out that DSS and OPM conducted a thorough search and documented receipt of all known safes. The Director also stated that since the DoD IG audit, DSS has implemented enhanced control measures to account for safes, including assigning barcodes and entering information on safes in DPAS.

Audit Response.
After further consideration of the due diligence performed by DSS and other mitigating factors, we determined that no additional action is necessary and deleted the draft recommendation to receive a final accounting of safes from OPM. We commend DSS for tagging all safes with unique identifiers in the form of bar codes and including safes in their official property records.

Appendix E. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense for Acquisition, Technology, and Logistics
Under Secretary of Defense for Intelligence
Assistant Secretary of Defense (Networks and Information Integration)/DoD Chief Information Officer
Director, Defense Privacy Office

Department of the Army
Auditor General, Department of the Army

Department of the Navy
Naval Inspector General

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)

Other Defense Organizations
Director, Defense Security Service

Non-Defense Federal Organization
Office of Personnel Management

Congressional Committees and Subcommittees, Chairman and Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Homeland Security and Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Oversight and Government Reform
House Subcommittee on Government Management, Organization, and Procurement, Committee on Oversight and Government Reform
House Subcommittee on National Security and Foreign Affairs, Committee on Oversight and Government Reform

Under Secretary of Defense for Acquisition, Technology, and Logistics Comments

Director of Administration and Management Comments

Defense Security Service Comments

Team Members

The Department of Defense Office of the Deputy Inspector General for Auditing, Readiness and Operations Support prepared this report. Personnel of the Department of Defense Office of Inspector General who contributed to the report are listed below.

Paul J. Granetto
Robert F. Prinzbach II
Kimberley A. Caprio
Patricia A. Papas
Rhonda L. Ragsdale
Robert P. Goldberg
Andrew R. MacAttram
David A. Palmer
Antwan Jackson
Bridgette A. Seebacher
Marlene Cruz-Freire